It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job

Meanwhile, organizations are looking at unconventional ways to staff up and train their workforce as technical expertise gets even harder to find.

As the demand for cybersecurity professionals continues to rise against the backdrop of a job candidate shortage, employers say only half of applicants (or fewer) actually meet the qualifications.

The new data from industry association ISACA also shows that finding and hiring qualified cybersecurity pros takes longer now: 32% of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.

This steadily widening cybersecurity talent gap has forced organizations to consider nontraditional methods of hiring, retention, and training their workforce. The biggest deficit of talent they need to hire is on the technical side, a trend highlighted by both ISACA's study and one from Tripwire, both released last week at the RSA Conference in San Francisco.

"There's a drought of technical people, and it's been compounding over the years," says Frank Downs, director of ISACA's cybersecurity practice. "There aren't enough cybersecurity pros, period, and there really aren't enough technical cybersecurity professionals ... we need people who can sit down and perform" the technical tasks, he says.

Among the high-demand positions: security engineer, SOC analyst, penetration tester, and cloud security engineer, according to security experts with knowledge of the job market. "I no longer need a firewall engineer: I need a cloud security engineer," says Lamar Bailey, senior director of security research & development at Tripwire.

Some 80% of the nearly 340 IT security pros surveyed by Tripwire say it's getting harder to find skilled people to fill their open job positions. Plus, the necessary skillsets are changing, as security evolves to tackle the blend of enterprise, cloud, virtual, DevOps, and other technologies. Some 85% of them say their security teams are understaffed; 70% of the organizations in ISACA's survey said the same.

Keeping positions filled also is getting harder. Skilled cybersecurity pros unsurprisingly are often lured away from their jobs for higher pay or promotions, so it's difficult to keep a solid security team in place for long. "There's a cannibalization of talent. Once it's [talent] acquired, there are concerns around retention as other companies start reaching out and luring over" those staffers, ISACA's Downs says.

Organizations also are training up members of their existing staff to meet the new demands. "And whether [they're] training [an existing employee] or hiring somebody else, and outsourcing the firewall job to a third party ... they don't have enough people to run everything, and we're seeing core products getting ignored—such as vulnerability assessments," Bailey says.

Some organizations running vulnerability scans, for example, are not necessarily following through and applying the fixes and patches those tests find. "They're spreading themselves too thinly" and struggle to prioritize patches, he says.

That's where technical staffers come in, he says, to help analyze the actual risks to their networks in order to prioritize the fixes for specific flaws and machines.

But training up existing security staffers isn't always so simple, especially for more advanced technical roles. "If you're looking at a mid-level security pro who wants to get into higher-level [technical role], it's an investment of a couple of years. It's not like a five-day SANS class," Bailey explains. "Firewall-1 to cloud architect is going to be a lot of training," for instance, he says. And for some organizations, it's difficult to justify this type of training budget-wise, he adds.

While cybersecurity programs are growing on the higher education side, many fail when it comes to providing potential cyber professionals with the necessary—and most in-demand—technical skills. "The problem is a lot of academic organizations don't necessarily teach all aspects of security that make an individual technically proficient," Downs says. "Academic organizations are still playing catch-up."

Still missing from some programs are hands-on malware analysis and firewall configuration, for example, he says.

Ralph Sita, co-founder and CEO of online training firm Cybrary, says cybersecurity education and training doesn't necessarily need to follow the traditional academic trajectory. "You don't need to treat getting into this industry through an educational avenue like high school, college, and boom: you get a job," says Sita. "You have to treat it like a trade: like an auto mechanic, HVAC technician, or a plumber" with hands-on skills training, he says. "You have to touch and use [security] tools."

Purple Unicorns

In some cases, the next security technician at an organization could be an employee on the non-technical side of the house. Tripwire's Bailey says some existing positions more naturally can transition to cybersecurity jobs—accountants and legal experts, for example. "Some of my best [quality assurance] engineers are accountants because they are detail-oriented and good with numbers," Bailey says.

ISACA's Downs, also an adjunct cybersecurity professor at the University of Maryland-Baltimore (UMBC), says the average demographic of a cybersecurity job candidate is someone changing professions. One of the students in his cybersecurity Master's program last year was a former middle school teacher. "A lot of students have very transferable [skills]. If they have tenacity, that will transition really well," he says, noting that the teacher in his class was his "star student" even among veteran IT pros looking to move to cybersecurity careers.

And while the hardest shoes to fill are technical ones in cybersecurity, the greatest missing skill for existing cybersecurity staffers is business acumen (nearly 50%), according to ISACA's report. Some 34% of organizations say technical know-how is the biggest missing skill among their security teams.

"They want more technical people, and they're now getting more choosy and want technical people who understand the business and can communicate that to the stakeholders," Downs says. "They want a purple unicorn."

The good news, though, is there's a subtle yet slow shift under way in loosening some of the overly ambitious job requirements for entry-level cybersecurity positions, according to Cybrary's Sita. "It's out of necessity" to fill the jobs since there's the Catch-22 of a security newbie not having all of the experience and certifications many of the entry-level jobs call for.

"I can't ask for an entry-level network engineer with five years' experience" anymore, he says.

Meanwhile, large tech and security firms such as IBM and Palo Alto Networks are offering their security teams training on Cybrary's platform as a way to grow and retain their security staff as well as to help advance candidate prospects with the requisite training for employment.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
3/18/2019 | 12:36:27 PM
Re: Horse shit
Nothing like good use of language - keep it clean here.
User Rank: Moderator
3/14/2019 | 1:52:13 PM
IT Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Hi Kelly, I like your article, but it is a sore point for me. I was trained not to present a problem without presenting a recommendation to address the problem. Now that does not mean the recommendation was 100% ironclad or that it was even accepted. Even if the recommendation was rejected you still presented what you believed was a viable solution. The article talks about the problem but does not elaborate enough on possible solutions. So, I would like to suggest a solution after I ask a few questions.

Questions for ISACA

- How many registered IT Security certified professionals are registered?

- Of those, how many are entry level?

- Of those, how many are not working in an IT Security related position?

- What are the hurdles?

Why are these entry level Security professionals not able to get hired?  I think this is the question which should be addressed.

Questions for Companies

How many entry-level IT Security professionals have they invested in?

I believe the notion of there being a drought can be addressed with some creativity by those already in the field, Sr. IT Security professionals and Execs. Also, if the need is so great why are companies stealing employees from other companies by dangling the $$$ carrot? That is not a solution, it is only a band-aid which creates a false gap. Can you tell me the stats on the number of certified IT Security professionals that are under employed or unemployed?

Suggested solution

Create a contractual obligation to bring entry level certified IT Security professionals on board with structured OJT objectives, timelines and support. By no means is this a silver bullet, but it is an option in conjunction with platforms like Cybrary. How many of the companies surveyed considered this option or something similar? Many of these entry level candidates have sacrificed time and hard-earned money to pay for their own courses and sims to earn the certifications. Myself being one of them. These personnel must be guided and evaluated on their performance, progress and proficiency, which can benefit the company, the senior IT Security staff and the individual.

I argue, if one can make a case for transitioning from another non-IT role into IT Security, then OJT with an entry level certified IT Security professional is also a viable path. 

That's just my perspective from an entry level point of view.
User Rank: Apprentice
3/14/2019 | 12:26:18 PM
Re: Upward learning curve
And yet, despite a notable shortage, wages are not rising significantly.
User Rank: Apprentice
3/13/2019 | 11:43:13 PM
Horse shit
User Rank: Apprentice
3/13/2019 | 10:59:25 AM
Re: Upward learning curve
Kelly, An excellent update on an ever increasingly difficult situation for the industry. The talent problem will most likely get worse before it gets better. Firms need to make the investment in junior level talent and train them up their own way with incentives to stay onboard. Simply poaching talent from one firm to staff another is a sure fire way to drive up prices and defer a mounting problem. It will be interesting to see how this Cybersecurity Talent shortage evolves over the next 3-5 years.
User Rank: Ninja
3/12/2019 | 3:52:29 PM
Upward learning curve
When I was a self-employed consultant in NYState, my basic knowledge of malware was periodic scans with Malwarebytes and anti-virus. That's it. Now having spent 18 months with a Malware forensics department, I am shocked at the little amount of experience and knowledge I actually had. I was never trained. A Novell CNE used to go a long way - it is history now. But practical experience with MD5 Threat hunting and Virustotal and all of that was never exposed to me - well, I survived a ransomware attack for a client with 3 hours of restore and 98% data restoration - not bad indeed. But that was easy restore from a decided client computer. Easy. Now I live in fear of what I was not doing and so the current skills shortage is the same event. True we have more resources now online but even so ... it takes years to gain knowledge and hands-on-keyboard work.